overlapping cisco avpairs (UCS+IOS)

2013-03-05 Thread Jimmy Stewpot
Hello,

For some time we have been using freeradius to provide authentication to our 
networking estate. Recently we introduced the Cisco UCS. The problem that we 
now have is it appears that we have a conflict in the VSA attributes required 
to provide the right levels of access to end users.

We have always had the Cisco-AVPAIR of shell:priv-lvl=15 which has been 
working for some time. With the Cisco UCS platform we need to introduce an 
additional shell: variable which looks like this shell:roles=admin. I have 
tried to add the variables to our users file with a += but the values are never 
accepted by the end Cisco device. It seems that only the first-to-be-received 
is actually activated on the Cisco device. I have been playing around with 
various formats in the users file without any success. I am interested to know 
if anyone else has had such issues and if so what the solution is?

I am currently running with Freeradius v2.1.12 provided as a part of the Redhat 
EL6 distro. We have our users in an Active Directory tree using the ldap plugin.

Our users file looks like this currently.

DEFAULT LDAP-Group == Network Full Access
  Cisco-AVPAIR=shell:priv-lvl=15

I've tried the following

DEFAULT LDAP-Group == Network Full Access
  Cisco-AVPAIR=shell:priv-lvl=15, roles=admin

- Fails: both networking and UCS result in read-only or no access.

DEFAULT LDAP-Group == Network Full Access
  Cisco-AVPAIR=shell:priv-lvl=15,roles=admin

- Fails: both networking and UCS result in read-only or no access.

DEFAULT LDAP-Group == Network Full Access
  Cisco-AVPAIR=shell:priv-lvl=15,
  Cisco-AVPAIR+=shell:roles=admin

- Works with the switch/router estate but not with UCS.

If I do a debug on the device it always matches the first entry in the returned 
attributes and discards the second. If I remove priv-lvl=15 and only have 
shell:roles=admin, it works for UCS but the switch and router estate fails. 
Any assistance would be greatly appreciated.

Regards,

Jimmy.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
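The thread above does not record a resolution. One way to keep the two attribute sets apart, so that each NAS only ever receives the avpair it understands and nothing more, is to key the users entries on the sending NAS via the huntgroups file. This is an added configuration example, not from the thread or the FreeRADIUS project; the address 192.0.2.10 is a placeholder for the UCS Manager, and the avpair values are those quoted in the post.

```text
# huntgroups: tag requests by the NAS that sent them.
# 192.0.2.10 is a placeholder for the UCS Manager address.
ucs     NAS-IP-Address == 192.0.2.10

# users: the UCS-specific DEFAULT entry comes first. The first matching
# DEFAULT entry wins and processing stops there unless Fall-Through = Yes
# is set, so a UCS login never receives the priv-lvl pair at all.
DEFAULT Huntgroup-Name == "ucs", LDAP-Group == "Network Full Access"
        Cisco-AVPair = "shell:roles=admin"

# Everything else (the IOS switch/router estate) keeps the original reply.
DEFAULT LDAP-Group == "Network Full Access"
        Cisco-AVPair = "shell:priv-lvl=15"
```

Confirm with `radiusd -X` that a request from the UCS address carries only the roles pair in its Access-Accept, and that a request from any other NAS carries only priv-lvl.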


Radius authentication against LDAP question

2012-05-31 Thread Jimmy
How do I enable Freeradius to not only authenticate a user but
verify a specific attribute for the user? I've been going through the
docs but this is escaping me.

Thanks.


Auth: rlm_krb5: [test1@CSP-BACK] krb5_rd_req() failed: Permission denied in replay cache code

2011-06-14 Thread Jimmy
I have Kerberos 1.6 configured to use OpenLDAP 2.3.43 as a back end. I
am trying to configure Freeradius 2.1.7 to authenticate to Kerberos.

I am having problems getting Freeradius to authenticate while started
in daemon mode. When the process is started in debug mode it seems to
function, but authentications while in daemon mode return the error:

Auth: rlm_krb5: [test1@CSP-BACK] krb5_rd_req() failed: Permission denied in 
replay cache code

Since authentication works in debug mode I'm not sure what I can give
to support the error besides the krb5kdc/slapd/radius log outputs and
the client side output. Functional output of debug mode is included as
well. I appreciate any help you can provide. If I should post any
config files please let me know what you would like to see. Thank you
very much.

*client side output*
radtest test1@CSP-BACK qwer krb 1812 SharedSecret
Sending Access-Request of id 213 to  [SERVER IP ADDRESS ] port 1812
    User-Name = test1@CSP-BACK
    User-Password = qwer
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1812
rad_recv: Access-Reject packet from host [SERVER IP ADDRESS ] port
1812, id=213, length=20
***
*radius log*
Tue Jun 14 16:17:23 2011 : Auth: rlm_krb5: [test1@CSP-BACK]
krb5_rd_req() failed: Permission denied in replay cache code
***
*krb5kdc log*
Jun 14 16:17:22 krb.csp krb5kdc[10954](info): AS_REQ (12 etypes {18 17
16 23 1 3 2 11 10 15 12 13}) [SERVER IP ADDRESS ]: ISSUE: authtime
1308082642, etypes {rep=18 tkt=18 ses=18}, test1@CSP-BACK for
krbtgt/CSP-BACK@CSP-BACK
Jun 14 16:17:23 krb.csp krb5kdc[10954](info): TGS_REQ (7 etypes {18 17
16 23 1 3 2})  [SERVER IP ADDRESS ]: ISSUE: authtime 1308082642,
etypes {rep=18 tkt=18 ses=18}, test1@CSP-BACK for
radius/krb.csp@CSP-BACK

*slapd log*
Jun 14 16:17:22 krb slapd[10742]: conn=9 op=54 SRCH
base=cn=KRB,dc=CSPKRB scope=2 deref=0
filter=((|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=test1@CSP-BACK))
Jun 14 16:17:22 krb slapd[10742]: conn=9 op=54 SRCH
attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage
krbmaxticketlife krbticketflags krbprincipalexpiration
krbticketpolicyreference krbUpEnabled krbpwdpolicyreference
krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount
krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled
modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences
Jun 14 16:17:22 krb slapd[10742]: conn=9 op=54 SEARCH RESULT tag=101
err=0 nentries=1 text=
Jun 14 16:17:22 krb slapd[10742]: conn=9 op=55 SRCH
base=cn=KRB,dc=CSPKRB scope=2 deref=0
filter=((|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=krbtgt/CSP-BACK@CSP-BACK))
Jun 14 16:17:22 krb slapd[10742]: conn=9 op=55 SRCH
attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage
krbmaxticketlife krbticketflags krbprincipalexpiration
krbticketpolicyreference krbUpEnabled krbpwdpolicyreference
krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount
krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled
modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences
Jun 14 16:17:22 krb slapd[10742]: conn=9 op=55 SEARCH RESULT tag=101
err=0 nentries=1 text=
Jun 14 16:17:23 krb slapd[10742]: conn=9 op=56 SRCH
base=cn=KRB,dc=CSPKRB scope=2 deref=0
filter=((|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=krbtgt/CSP-BACK@CSP-BACK))
Jun 14 16:17:23 krb slapd[10742]: conn=9 op=56 SRCH
attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage
krbmaxticketlife krbticketflags krbprincipalexpiration
krbticketpolicyreference krbUpEnabled krbpwdpolicyreference
krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount
krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled
modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences
Jun 14 16:17:23 krb slapd[10742]: conn=9 op=56 SEARCH RESULT tag=101
err=0 nentries=1 text=
Jun 14 16:17:23 krb slapd[10742]: conn=9 op=57 SRCH
base=cn=KRB,dc=CSPKRB scope=2 deref=0
filter=((|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=radius/krb.csp@CSP-BACK))
Jun 14 16:17:23 krb slapd[10742]: conn=9 op=57 SRCH
attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage
krbmaxticketlife krbticketflags krbprincipalexpiration
krbticketpolicyreference krbUpEnabled krbpwdpolicyreference
krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount
krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled
modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences
Jun 14 16:17:23 krb slapd[10742]: conn=9 op=57 SEARCH RESULT tag=101
err=0 nentries=1 text=
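The thread does not say what caused the error, but "works in debug mode, fails as a daemon" is the pattern of a file created under one account (debug runs are usually started as root) that the unprivileged daemon account later cannot open. The check below is an added diagnostic, not from the thread: it lists MIT krb5 replay-cache files whose owner is not the daemon account. It assumes the default rcache location under /var/tmp (files named rc_*) and the account name radiusd for the daemon on EL6.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Lists replay-cache files in $1
# that are not owned by the account in $2. Assumptions: /var/tmp is the
# default rcache directory and "radiusd" is the daemon account on EL6.
check_rcache_owner() {
    dir="$1"
    svc_uid=$(id -u "$2" 2>/dev/null) || { echo "no such account: $2"; return 255; }
    bad=0
    for f in "$dir"/rc_*; do
        [ -e "$f" ] || continue            # glob did not match: no cache files
        # GNU stat first, BSD/macOS stat as the fallback
        owner=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f")
        if [ "$owner" != "$svc_uid" ]; then
            echo "MISMATCH: $f has uid $owner, daemon runs as $2 (uid $svc_uid)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"    # 0 = every cache file belongs to the daemon account
}

# Constructed invocation for an EL6 host:
#   check_rcache_owner /var/tmp radiusd
```

A non-zero return with one or more MISMATCH lines points at files the daemon cannot be expected to open; krb5_rd_req() needs to write the replay cache, so read-only access is not enough either.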